This guide from Hospitality Financial and Technology Professionals (HFTP(R)) covers safeguards that hospitality businesses can implement today, along with tips on how to continuously improve security and data-regulation compliance.

HFTP GDPR Guidelines: Privacy Policies for Hotels

This document offers points to consider in the development of a hotel’s privacy policy. In view of the multiple organisational and legal structures under which hotels operate, as well as the complexity of the third party landscape that may be part of the complete guest experience, this document serves as a guideline only.

HFTP GDPR Guidelines: Hospitality Guest Registration Cards

This document offers recommendations for guest information collection on the guest registration card along with consent for use. It can be used as a guideline for loyalty cards, health data, export of data outside of the EU, privacy policies and direct marketing.

MIAMI, May 22, 2018 /PRNewswire/ -- The European Union's General Data Protection Regulation (GDPR) comes into effect globally on May 25, introducing dramatically stronger rules on data privacy. The EU hopes to achieve a fundamental change in the way companies think about data; its central idea is "privacy by default." But these new regulations are the broadest ever implemented by the EU, because they are not limited to just EU member nations. In fact, GDPR is worldwide, meaning every country must follow these new rules or be fined up to 4% of a company's global annual revenue.

Many industries will be looking for ways to become compliant with these new laws, but they will soon discover that there are no universal compliance standards, according to the EU's own website, under the section on controversial topics. The hotel industry will be the most vulnerable.

A Miami, Florida based company, Creating Revolutions, has built a groundbreaking solution to solve such a complex problem. Their multi-patented technology uniquely solves the lack of universal compliance standards for GDPR by not attacking the liability problem, but instead removing the liability completely.

Creating Revolutions' communication technology allows smart guest-to-employee communication in a hotel. Unlike text messaging or SMS, private information is not used by design, while still maintaining full personalization for the guest. Rather than having to work within the scope of GDPR restrictions, Creating Revolutions does not use any private information, therefore offering zero liability under GDPR.

The hotel industry is the most vulnerable because, compared to any other industry, it is highly concentrated, with only a few companies controlling the overwhelming majority of the market. This means the EU can go after fewer players and get the biggest bang for their buck. These penalties are set to be the largest in history, at between 2% and 4% of a company's global annual revenue. Additionally, the hotel industry has more assets within the EU, compared to any other industry, making it much easier to collect those massive fines.

Hotels are also specifically designed to attract foreigners, many of whom are EU citizens. Unlike the retail or restaurant industry, when a guest checks in to a hotel, they are expected to give up personal information such as a driver's license, credit card, or even their passport. An EU citizen going into a restaurant in the US wouldn't give the hostess their passport, just as they wouldn't go to a retail store and hand over their credit card prior to shopping. Because the majority of hotels require guests to give their credit card at check-in, it is impossible for guests to keep their personal information to themselves.

"'Are You GDPR Ready' have been some of the scariest words that have come across my computer screen. We are actively looking for innovative solution providers like Creating Revolutions that can remove GDPR liabilities from our hotels," states Marc Lawrence, owner of The Anglers Hotel, a Kimpton property.

Hotel loyalty tools, websites, and guest communication services such as text messaging or SMS will be the most vulnerable to GDPR. Even if a third party is used, the hotel is still liable for any issues of compliance, as stated formally by the GDPR.

Creating Revolutions' technology not only gives a hotel access to guest communication, but also offers the most advanced and immersive communication technology available to hotels today. While there is no universal standard for compliance with GDPR, by using Creating Revolutions, hotels have a way of protecting themselves from what is considered the broadest and costliest regulation in history.

Hotels need to be proactive and think outside the box when implementing any technology that could open up highly expensive liabilities regarding privacy laws in the near future, and that's where pioneers like Creating Revolutions are the answer.

Every GM knows the equation for implementing new hotel services: the benefit must be greater than the cost. In 2017, the most popular new craze for hotels was text messaging guests. The cost was low and the benefits were high. But in 2018, that cost is going to skyrocket, thanks to the GDPR, or General Data Protection Regulation. If your hotel hasn't heard of the GDPR yet, you had better learn fast, because it's going to change how nearly every hotel around the world does business. At its core, the GDPR is the strongest consumer privacy and protection law in history. Though the GDPR was created by the EU, it's not limited to Europe; it's global. And starting this May, the GDPR goes active.

So why will the GDPR affect guest text messaging services in hotels? Because the GDPR has four requirements that text messaging just can't accomplish, leaving a legal liability with penalties of up to 4% of a hotel company's entire annual revenue. These four liabilities are:

1. Usage Explanation
2. Lack of Security
3. Privacy by Design
4. No 3rd Party Protection Barrier

Usage Explanation

The GDPR requires that a hotel give a usage explanation in "non-legalese". For an industry used to giving guests long legal documents that blanket-protect against every possible liability from alien attacks to the kitchen sink, those days are gone. How can a hotel cover itself when it cannot use legal language to protect itself from legal liability? The GDPR also requires a hotel to easily and clearly explain what it will do with the guest's information: how it will be used, by whom, where, and more. That is a herculean task, considering today's hotels use complex algorithms and artificial intelligence to process a guest's information. How can you easily explain such complexities to the average guest? Add in explanations about how the guest can easily opt in and out, and the 140-character text message your guest is used to will now be as long as a 19th century Russian novel.

Lack of Security

The GDPR also has security requirements. That is not good news for something like text messaging, which never had any real security and never will. The first text message was sent in 1992, back when dial-up modems ruled the world. Since then, the technology has barely changed from that first SMS. What's worse is that SMS is an integral part of Signaling System No. 7. More commonly known as SS7, it is a critical part of the architecture that basically all mobile phone systems are built on. The reason SS7 means trouble for SMS is that in 2017, access to the SS7 network started being offered by hackers on the dark web for just $500. With as little information as a phone number, you could now not only eavesdrop on text messages but manipulate or even block messages. The SS7 vulnerability can even track a person without the need for a virus or malware. Text messaging has no encryption, and its infrastructure is a closed-loop system that has no identity confirmation, so anyone can access it today and no one would even know it.

But it's not the mere possibility of text message hacking that is the problem. The problem translates into real dollars lost for hotels. Imagine someone creating random messages to your staff, sending them in all directions of your hotel property, based on false requests. Or requesting expensive services or products that get delivered to a guest who hasn't asked for them. And imagine a guest receiving a message they thought was from the hotel, with a link that says "billing invoice", which ends up installing a virus on that guest's phone. These days, it doesn't take a sophisticated hacker to screw with your business. Just about anyone can buy hacking software or hacking services, which can steal from your hotel or create chaos. The most popular ransomware today is easily available to anyone for as little as $20. How secure are you feeling about the security of text messages now?

Privacy by Design

A more interesting requirement of the GDPR is that a system must include privacy by design. Here is how the GDPR explains it: "Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition." Not one text messaging service used today has an original design that includes privacy as a core element. And adding privacy now to an existing system is not allowed. The only choice a service provider would have is to build its whole system from scratch, and even then it still wouldn't meet the security liabilities inherent in text messaging. By the way, the SS7 vulnerability was shown publicly in 2014, so any company that tries to state that its original design was based on the privacy liabilities of the time had better make sure its original design is older than 5 years ago.

No 3rd Party Protection Barrier

The fourth liability has been a key protection for most companies today. If they use a third-party service and the third party gets hacked, the client company is not liable. The GDPR will not accept that excuse. In fact, the third-party providers won't accept that excuse either. Take a look at what Twilio is telling its clients. Twilio is hands down the most popular text messaging infrastructure service today, used by thousands of apps and web service providers. In fact, Twilio has a 59.85% market share in the US. So what does Twilio have to say to its clients as to how well protected they are against GDPR?

"Your responsibilities under GDPR will depend on the nature of your business and your personal data processing activities. Nonetheless, broadly speaking, GDPR requires that personal data be:

1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes
3. Adequate, relevant, and limited to what is necessary for achieving those purposes
4. Accurate and kept up to date
5. Stored no longer than necessary to achieve the purposes for which it was collected, and
6. Properly secured against accidental loss, destruction or damage.

What's the definition of "personal data" under the GDPR? Personal data means data that relates to an identified or identifiable natural person (aka "data subject"). An identifiable data subject is someone who can be identified, directly or indirectly, such as by reference to an identifier like a name, an ID number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Importantly, this is a very broad definition and can encompass data like IP addresses of a user's personal device, their device ID, or their phone number. It does not matter that the identifier could change (e.g., that the user could change their phone number or device ID). What matters is that the information can be used to "pick that user out of the crowd" even if you don't know who that user is. It is also important to note that the definition of personal data is not tied to concerns about identity theft the way that definitions of personally identifying information (PII) are under many US data breach laws. So, even if it seems like there would be little privacy harm if someone got ahold of your users' IP addresses, that does not mean that those IP addresses are not personal data. It just means that this data may not require the same level of data protection as more sensitive personal data like your users' credit card numbers."

So what does this all mean for companies who used to feel a barrier of protection via a middleman? Sounds like those middlemen are telling you, "Good luck with that."

In conclusion, text messaging is a convenient technology to use, and key to its use is the most important identifier about a guest, their phone number, which runs on the most essential informational device in your guest's life. Does any hotel really want to risk liability on a decades-old technology with no real security? Especially with the GDPR and other legislation being released, as well as multiple class action lawsuits and, thanks to Facebook, the strongest consumer sentiment in favor of privacy ever, all occurring NOW?

Two supplemental points to consider:

1. What business in the US today has the highest concentration of tourists? Answer: hotels, which is why they are the most susceptible to these new privacy laws. Think about it for a second. Both retail and restaurants are not likely to get a foreign tourist to sign up for anything or to keep any personal details about them. This is completely the opposite of a hotel, which usually asks for many pieces of information that it stores, including the person's name, credit card information for later charging, etc. From foreigners it often requests their passport as well. So hotels are the most likely to be affected by the GDPR.

2. Why are text messages and chat the highest vulnerability for hotels? Answer: the phone number is the most important and relevant single identifier of a person. Data, especially coming from multiple sources, is useless if you don't have a single consistent identifier to connect all that data together. Now think about this for a minute. There are thousands of John Smiths out there, so names won't work as a key identifier. And practically everyone has more than one email address. As for addresses, people move. But the mobile phone number is the only constant no matter what. With number portability, it's now easy to carry your mobile number to a different carrier. And with nearly half of all households now mobile-only, even when a person moves, they keep their phone number. Even if it's a different area code, or they change jobs or anything, they always take their phone number. Now this isn't just for text messaging but also for the most popular form of chat used today by Europeans, which is WhatsApp. WhatsApp doesn't use a username but rather a phone number as the key identifier.